Control: forwarded -1 
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5012

Hi,

coincidentally, I’ve been working (well, experimenting would be a better
word) with reducing the contention in the memory allocator and the first
patch in the branch might help with the initialization time.  Not so much
with contention, for that the work on the branch will have to be complete
(e.g. this will go into upstream 9.18, not 9.16), but I thought you might
be interested in the work in progress.

This particular branch is very fresh, but I have at least 3 or 4 different
approaches with different experiments.

Ondrej
--
Ondřej Surý (He/Him)
ond...@sury.org

> On 2. 5. 2021, at 9:16, root <russ...@coker.com.au> wrote:
> 
> Package: bind9
> Version: 1:9.16.13-1
> Severity: normal
> 
> May  2 16:38:37 sjl named[7372]: listening on IPv4 interface lo, 127.0.0.1#53
> May  2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.2.45#53
> May  2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.1#53
> May  2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.2#53
> May  2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.3#53
> [...]
> May  2 16:39:33 sjl named[7372]: listening on IPv4 interface eno4, 10.0.47.0#53
> May  2 16:39:33 sjl named[7372]: listening on IPv4 interface eno4, 10.0.48.0#53
> May  2 16:39:33 sjl named[7372]: listening on IPv4 interface eno4, 10.0.49.0#53
> May  2 16:39:33 sjl named[7372]: listening on IPv6 interface lo, ::1#53
> 
> On a system with 2560 extra IPv4 addresses for test purposes a default
> configuration of bind9 takes one minute on a reasonably fast 64bit system (two
> E5-2620 CPUs).  See the above for example startup log entries.
> 
> May  2 16:39:36 sjl named[7372]: zone localhost/IN: loaded serial 2
> May  2 16:39:36 sjl named[7372]: all zones loaded
> May  2 16:39:36 sjl named[7372]: running
> May  2 16:39:36 sjl named[7372]: socket: file descriptor exceeds limit (123273/21000)
> May  2 16:39:36 sjl named[7372]: managed-keys-zone: Unable to fetch DNSKEY set '.': not enough free resources
> May  2 16:39:36 sjl named[7372]: socket: file descriptor exceeds limit (123273/21000)
> 
> Then the startup doesn't complete properly with errors like the above.
> 
> OPTIONS="-u bind -S 150000"
> 
> Putting something like the above in /etc/default/named fixes the errors, but
> it still takes a long time and really 150,000 file handles shouldn't be
> required for 2560 IP addresses.
> 
>        listen-on { 10.0.2.45; };
> 
> Putting the above in named.conf.options got it to work correctly in this
> regard.  But I expect it to not use unreasonable amounts of resources without
> that configuration.
> 
> -- System Information:
> Debian Release: bullseye/sid
>  APT prefers testing
>  APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 5.10.0-6-amd64 (SMP w/24 CPU threads)
> Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
> Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: SELinux: enabled - Mode: Permissive - Policy name: default
> 
> Versions of packages bind9 depends on:
> ii  adduser                3.118
> ii  bind9-libs             1:9.16.13-1
> ii  bind9-utils            1:9.16.13-1
> ii  debconf [debconf-2.0]  1.5.75
> ii  dns-root-data          2021011101
> ii  init-system-helpers    1.60
> ii  iproute2               5.10.0-4
> ii  libc6                  2.31-11
> ii  libcap2                1:2.44-1
> ii  libfstrm0              0.6.0-1+b1
> ii  libjson-c5             0.15-2
> ii  liblmdb0               0.9.24-1
> ii  libmaxminddb0          1.5.2-1
> ii  libprotobuf-c1         1.3.3-1+b2
> ii  libssl1.1              1.1.1k-1
> ii  libuv1                 1.40.0-1
> ii  libxml2                2.9.10+dfsg-6.3+b1
> ii  lsb-base               11.1.0
> ii  netbase                6.3
> ii  zlib1g                 1:1.2.11.dfsg-2
> 
> bind9 recommends no packages.
> 
> Versions of packages bind9 suggests:
> pn  bind-doc                   <none>
> ii  bind9-dnsutils [dnsutils]  1:9.16.13-1
> ii  dnsutils                   1:9.16.13-1
> pn  resolvconf                 <none>
> pn  ufw                        <none>
> 
> -- Configuration Files:
> /etc/bind/named.conf.local changed:
> //
> // Do any local configuration here
> //
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> //include "/etc/bind/named.conf.postal";
> 
> /etc/bind/named.conf.options changed:
> options {
>       directory "/var/cache/bind";
>       // If there is a firewall between you and nameservers you want
>       // to talk to, you may need to fix the firewall to allow multiple
>       // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>       // If your ISP provided one or more IP addresses for stable 
>       // nameservers, you probably want to use them as forwarders.  
>       // Uncomment the following block, and insert the addresses replacing 
>       // the all-0's placeholder.
>       // forwarders {
>       //      0.0.0.0;
>       // };
>       //========================================================================
>       // If BIND logs error messages about the root key being expired,
>       // you will need to update your keys.  See https://www.isc.org/bind-keys
>       //========================================================================
>       dnssec-validation auto;
>       listen-on { 10.0.2.45; };
>       listen-on-v6 { any; };
> };
> 
> /etc/default/named changed:
> RESOLVCONF=no
> OPTIONS="-u bind"
> 
> 
> -- debconf information:
>  bind9/start-as-user: bind
>  bind9/different-configuration-file:
>  bind9/run-resolvconf: false
> 

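The symptoms in the quoted report (one listener per configured address, a startup of about a minute, descriptor-limit errors and the failed DNSKEY fetch) can be read mechanically from named's syslog output. The following is an added example, not part of either message or of BIND: the function name, the `max_per_iface` threshold and the assumed year are this example's own, and the sample log is constructed from the lines quoted above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a shortened copy of the startup log quoted in the report.
SAMPLE_LOG = """\
May  2 16:38:37 sjl named[7372]: listening on IPv4 interface lo, 127.0.0.1#53
May  2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.2.45#53
May  2 16:38:37 sjl named[7372]: listening on IPv4 interface eno4, 10.0.40.1#53
May  2 16:39:33 sjl named[7372]: listening on IPv4 interface eno4, 10.0.49.0#53
May  2 16:39:33 sjl named[7372]: listening on IPv6 interface lo, ::1#53
May  2 16:39:36 sjl named[7372]: running
May  2 16:39:36 sjl named[7372]: socket: file descriptor exceeds limit (123273/21000)
May  2 16:39:36 sjl named[7372]: managed-keys-zone: Unable to fetch DNSKEY set '.': not enough free resources
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ named\[\d+\]: (.*)$")
LISTEN = re.compile(r"^listening on IPv[46] interface (\S+), (\S+)#\d+$")
FD_LIMIT = re.compile(r"file descriptor exceeds limit \((\d+)/(\d+)\)")

def summarize(log_text, year=2021, max_per_iface=16):
    """Summarize one named startup; year and max_per_iface are assumptions."""
    per_iface, first, running = Counter(), None, None
    fd_errors, worst, starved = 0, None, 0
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a named line (or the tail of a wrapped one)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (hit := LISTEN.match(msg)):
            per_iface[hit.group(1)] += 1      # one listener per address
            first = first or ts
        elif msg == "running":
            running = ts
        elif (hit := FD_LIMIT.search(msg)):
            fd_errors += 1
            pair = (int(hit.group(1)), int(hit.group(2)))  # (fd, limit)
            worst = pair if worst is None or pair[0] > worst[0] else worst
        elif "not enough free resources" in msg:
            starved += 1                      # e.g. the DNSKEY fetch failing
    return {
        "listeners": dict(per_iface),
        "over_threshold": sorted(i for i, n in per_iface.items() if n > max_per_iface),
        "startup_seconds": (running - first).total_seconds() if first and running else None,
        "fd_limit_errors": fd_errors,
        "worst_fd": worst,
        "resource_failures": starved,
    }
```

An interface listed in `over_threshold` together with a non-zero `fd_limit_errors` matches the situation in the report, where restricting `listen-on` to a single address made the errors go away.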